Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3: Fix NULL deref on high modification key
2026-03-24 08:12:21 +01:00 · 2025-04-16 11:38:38 +02:00
parent ecd2872cf4 c905d59106
commit bfa2cfc9ed
3 changed files with 19 additions and 3 deletions
--- a/1
+++ b/1
@@ -26,6 +26,7 @@ PHP                                                                        NEWS

 - LDAP:
  . Fixed bug GH-17776 (LDAP_OPT_X_TLS_* options can't be overridden). (Remi)
+  . Fix NULL deref on high modification key. (nielsdos)

 - libxml:
  . Fixed custom external entity loader returning an invalid resource leading
--- a/ext/ldap/ldap.c
+++ b/ext/ldap/ldap.c
@@ -2787,12 +2787,12 @@ PHP_FUNCTION(ldap_modify_batch)
 	ldap_mods = safe_emalloc((num_mods+1), sizeof(LDAPMod *), 0);

 	/* for each modification */
-	for (i = 0; i < num_mods; i++) {
+	i = 0;
+	ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(mods), fetched) {
 		/* allocate the modification struct */
 		ldap_mods[i] = safe_emalloc(1, sizeof(LDAPMod), 0);

 		/* fetch the relevant data */
-		fetched = zend_hash_index_find(Z_ARRVAL_P(mods), i);
 		mod = fetched;

 		_ldap_hash_fetch(mod, LDAP_MODIFY_BATCH_ATTRIB, &attrib);
@@ -2857,7 +2857,9 @@ PHP_FUNCTION(ldap_modify_batch)
 			/* NULL-terminate values */
 			ldap_mods[i]->mod_bvalues[num_modvals] = NULL;
 		}
-	}
+
+		i++;
+	} ZEND_HASH_FOREACH_END();

 	/* NULL-terminate modifications */
 	ldap_mods[num_mods] = NULL;
--- a/ext/ldap/tests/ldap_modify_batch_error.phpt
+++ b/ext/ldap/tests/ldap_modify_batch_error.phpt
@@ -59,6 +59,16 @@ $mods = array(
    )
 );

+var_dump(ldap_modify_batch($link, "dc=my-domain,$base", $mods));
+
+// high key with invalid attribute type
+$mods = [
+    99999 => [
+        "attrib"  => "weirdAttribute",
+        "modtype" => LDAP_MODIFY_BATCH_ADD,
+        "values"  => ["value1"],
+    ],
+];
 var_dump(ldap_modify_batch($link, "dc=my-domain,$base", $mods));
 ?>
 --CLEAN--
@@ -81,3 +91,6 @@ bool(false)

 Warning: ldap_modify_batch(): Batch Modify: Undefined attribute type in %s on line %d
 bool(false)
+
+Warning: ldap_modify_batch(): Batch Modify: Undefined attribute type in %s on line %d
+bool(false)